
Summary
This analytic rule detects suspicious use of the `bcdedit` command, specifically when it is used to switch a Windows host from safe mode back to normal boot mode. This behavior might indicate malicious activity, particularly by ransomware operators such as BlackMatter, who often manipulate boot configuration to stage the encryption process. The detection relies primarily on logs from Endpoint Detection and Response (EDR) tools that capture command-line executions of `bcdedit.exe` paired with parameters indicative of changing boot settings, such as `deletevalue`, `current`, and `safeboot`. If executed maliciously, this command could help attackers retain control of critical system operations and facilitate further exploitation of the host, potentially leading to data encryption and loss.
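The matching logic described above, run over a few constructed process-creation records, as an added example that is not part of the original rule content. The event field names (`host`, `parent`, `image`, `cmdline`) and the sample events are assumptions modelled on typical EDR or Sysmon process-creation telemetry.

```python
import re

# Constructed sample events (not real telemetry). Field names are assumptions
# modelled on EDR / Sysmon Event ID 1 process-creation records.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /deletevalue {current} safeboot"},   # rule should fire
    {"host": "ws02", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit /enum"},                                 # benign enumeration
    {"host": "ws03", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /set {current} safeboot minimal"},   # entering safe mode: out of scope for this rule
    {"host": "ws04", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe deletevalue current safeboot"},      # right tokens, wrong image
]

# The parameters named in the rule: all three must be present on the command line.
REQUIRED_TOKENS = {"deletevalue", "current", "safeboot"}


def tokens(cmdline: str) -> set:
    """Lower-case alphanumeric tokens; drops switch prefixes (/ or -) and the {current} braces."""
    return set(re.findall(r"[a-z0-9.]+", cmdline.lower()))


def is_bcdedit(image: str) -> bool:
    """True when the executing image's basename is bcdedit.exe (path separators normalised)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "bcdedit.exe"


def matches_rule(event: dict) -> bool:
    """Process must be bcdedit.exe AND its command line must carry every required parameter."""
    return is_bcdedit(event["image"]) and REQUIRED_TOKENS <= tokens(event["cmdline"])


def detect(events) -> list:
    """Return one alert per matching event, tagged with the technique listed for this rule."""
    return [{"host": e["host"], "parent": e["parent"], "cmdline": e["cmdline"],
             "technique": "T1490"} for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Requiring the image name as well as the parameters is what keeps the fourth record (a non-bcdedit process whose arguments merely contain the same words) from producing a false positive.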
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1490
- T1552.002
Created: 2024-11-13